Google extends vulnerability bounties to Android

Alexey Zhukov

09:55, June 17, 2015

Google's "Vulnerability Reward Program" has been incentivizing people to report security bugs to the tech giant for its Web services, apps, extensions, Chrome, and Chrome OS for some time now. Today the company announced that it's extending the cash-for-bugs program to its biggest operating system: Android.

The program doesn't cover any Android device, just new devices that Google is 100% responsible for: current, for sale, Nexus devices. For now, that means the Nexus 6 and Nexus 9. Google says that this "makes Nexus the first major line of mobile devices to offer an ongoing vulnerability rewards program."

Google will pay researchers not only for bug disclosures—it offers additional rewards tiers for test cases submitted with the bug, CTS tests that catch the bug, and AOSP patches that fix the bug. "CTS" is Android's "Compatibility Test Suite," the continually updated battery of tests all devices must pass in order to gain access to the Google Play Store. CTS tests ensure that a device and its software are Android-compatible and free of known vulnerabilities, ensure platform API correctness, and follow Google's mandatory (and minimal) UI practices for readability and consistency.

Google pays anywhere from $0 to $2,000 for a bug submission, depending on the severity level, and when combined with test cases, unit tests, and AOSP patches, offers a max payout of $8,000. In addition to the reward levels, there are also huge bonuses available if you compromise the kernel, TEE (TrustZone), or the Verified Boot process. For the worst possible scenario of remotely compromising TrustZone or Verified boot, Google is offering a $30,000 reward.

Google says it paid "more than 1.5 million dollars" to security researchers last year under the bug bounty program. The company is also a sponsor of the annual pwn2own hacking competition and plans to support other Android vulnerability contests in the future.